Slide 1: Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget
Mark Minasi
Writer, Speaker, Consultant
help@minasi.com
Twitter @mminasi
Join my newsletter at www.minasi.com
Slide 2: Hello and Welcome!
- Windows 10, Azure, AD and the like offer us a lot of options, so sometimes it's a little hard to keep them straight
- In this session, I'll outline many of the combinations with an eye to:
  - What it does
  - What it costs
  - What the ingredients are
- This is all "200" level
- And I'll demo what I can
Slide 3: Topics
- Identity solutions
- Windows Store app control
- Controlling apps
- Keeping corp data on personal devices safe
- Whatever else I have time for
Slide 4: First, Though, Remember Option One
- "Don't do anything"
- Again, Microsoft supports Windows 7 until 2020, Windows 8 until 2023
- There is no rush unless you're running Windows 7 Professional, as the free upgrade to Windows 10 is only available for a year
Slide 5: And Remember Option Two
- "Just keep doing what you're doing"
- If your Win 10 devices are running full Windows Pro or Enterprise, then group policies, VBScripts, PowerShell scripts, Orchestrator runbooks, workflows etc. all work as well as they ever did
Slide 6: Identity in Windows 10
You've always had a lot of choices in where to store your identity and your machine's. Win 10 adds one to the mix.
Slide 7: Option One: Local Accounts
- Enabling tech: Microsoft Accounts (MSAs) -- Hotmail, Live, Outlook.com accounts
- What it does:
  - Gives you an identity recognized by your computer and many Web locations
  - Lets you sync some settings between devices
  - Machine is registered with Microsoft for sync and auth purposes
  - Lets Store apps roam with your account
  - Minimal MDM… password minimums; scripts can sometimes fill in
  - Works on a wide variety of devices
- Cost: zero
- Fine for homes or very, very small orgs
Slide 8: Option Two: AD-Joined
- Ingredients: DCs, network, "full" Windows
- What it does:
  - Rich device, app, and security management via group policies
  - App roaming via group policies or Config Manager
  - Desktop roaming via roaming profiles and folder redirection
  - Wide software library
- Cost: AD infrastructure, CALs
- Of little or no value for phones, non-Microsoft tablet devices
- Can only join one domain
Slide 9: Option 3: Azure AD, Cloud Join
- Ingredients: AAD, probably O365, Win 10 devices
- Steps: enable device join in Azure, create AAD accounts (either sync them or create new ones)
- What it does:
  - Enables Conditional Access for files
  - MDM via third party, Intune
  - Provides identity for Store apps
- Cost: O365 or AAD charges per-user
- No on-prem required; can only join one AAD; can't be joined to an AD
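Before choosing among the three identity options it helps to know which one a given machine is already in. The following PowerShell is an added example and not part of the presentation: it reads the "Device State" and "User State" fields that `dsregcmd.exe /status` prints on Windows 10 and maps them onto the options above. It assumes `dsregcmd.exe` is present (Windows 10 builds that support Azure AD join) and that the caller runs it from an elevated prompt for complete output; the `$sample` block is constructed output used so the function can be exercised without a live device. The "both flags set" case is not on the slides: it reports the hybrid join that later Windows 10 builds added.

```powershell
# Added example (not from the presentation): classify a Windows 10 device's
# identity scenario from 'dsregcmd /status'. Assumes dsregcmd.exe is present
# and that the prompt is elevated so every field is reported.

function Get-DeviceJoinState {
    param(
        # Pass constructed lines for offline testing; omit to query the live device.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "      AzureAdJoined : YES"-style lines; collect them as a map.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aad    = $fields['AzureAdJoined']   -eq 'YES'   # cloud join (Option 3)
    $domain = $fields['DomainJoined']    -eq 'YES'   # classic AD join (Option 2)
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'   # work account added to a personal device

    if ($aad -and $domain)  { $scenario = 'AD joined and Azure AD joined (hybrid join, later Windows 10 builds)' }
    elseif ($aad)           { $scenario = 'Azure AD joined (cloud join, Option 3)' }
    elseif ($domain)        { $scenario = 'AD joined (Option 2)' }
    elseif ($wpj)           { $scenario = 'Azure AD registered: personal device with a work account' }
    else                    { $scenario = 'Local account or MSA only (Option 1)' }

    [pscustomobject]@{
        AzureAdJoined   = $aad
        DomainJoined    = $domain
        WorkplaceJoined = $wpj
        TenantName      = $fields['TenantName']
        Scenario        = $scenario
    }
}

# Constructed sample output, shaped like an Azure AD joined device's report.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '                TenantName : Contoso (constructed)',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : NO'
)

Get-DeviceJoinState -StatusLines $sample | Format-List
# On a real machine: Get-DeviceJoinState | Format-List
```

Run against the constructed sample, `Scenario` comes out as "Azure AD joined (cloud join, Option 3)"; on a live device the same function tells you whether the "can't be joined to an AD" caveat above already applies before you plan a migration.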
Slide 10: Demo: Azure AD Device Registration and Cloud Join
Slide 11: Deploying Apps to Devices
Acquiring Modern/Store/Universal apps and getting them on Windows 10 devices
Slide 12: Option One: Use the Windows Store
- Ingredients: an MSA (Microsoft Account), credit card
- What it does:
  - Lets you get any application in the Windows Store onto a compatible device
  - Remembers your apps and roams them to devices
  - You can put your LOB apps into the Store (but the world sees them)
  - You can sideload LOB apps you don't want to put in the Store
  - Deploy LOBs with Add-AppxPackage
- Requires organizational users to have credit cards
- Limited org data governance
Slide 13: Demo: New Windows Store (kind of)
Slide 14: Option Two: Business Store Portal (BSP)
- BusinessStore.Microsoft.com
- Cost: nothing -- all Web-based
- Ingredients: Azure AD accounts or MSA
- Log onto the BSP with your MSA, get personal apps
- Log onto the Business Store Portal with your AAD creds, see the org's apps
- Admin can block categories like "Food and Dining"
- Can create a category for the organization
- Can acquire X copies of the app for the org
Slide 15: Option Two, Continued
- Accepts payments besides credit cards -- PO or invoice
- You can download the Appx package for the modern app
- Once you have the package, you can deploy offline, or install with PowerShell Add-AppxPackage
- Admin can control app licenses (portal is there)
- No Intune needed, no Config Manager needed
- LOBs have to go into the Store to be accessible
Slide 16: More Details
- Admin sets up the BSP with an admin-level AAD account with a browser
- User logs in with AD, AAD, or MSA account to the Store
- Apps are automatically updated via the Store (actually the Store service)
- Admin can explicitly assign an app to a user, so the user need do nothing, or have it appear in the Store
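The "deploy offline with Add-AppxPackage" path from the two preceding slides, as an added PowerShell example that is not part of the presentation. It assumes a package, any framework dependencies and the BSP offline license XML have been downloaded into one folder; every path and package name below is a placeholder. Two things the slides do not spell out are checked first: sideloading must be allowed by policy, and the package must carry a valid signature, because `Add-AppxPackage` refuses unsigned packages and a clear error beats a generic deployment failure. For all-users provisioning it uses `Add-AppxProvisionedPackage` from the DISM module, which is where the offline license file goes.

```powershell
# Added example (not from the presentation): install a BSP-downloaded Appx
# package without the Store client. Paths and names are placeholders.

function Test-SideloadingEnabled {
    # Sideloading of LOB apps is gated by "Allow all trusted apps to install"
    # (Group Policy: Computer / Admin Templates / Windows Components /
    # App Package Deployment). Returns $true when the policy permits it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $v = (Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    return ($v -eq 1)
}

function Install-BspPackage {
    param(
        [Parameter(Mandatory)] [string]$PackagePath,   # e.g. C:\bsp\ContosoExpenses.appx (placeholder)
        [Parameter(Mandatory)] [string]$PackageName,   # name from the manifest, used to verify registration
        [string[]]$DependencyPath = @(),               # framework .appx files downloaded with it
        [string]$LicensePath,                          # BSP offline license XML, needed for -AllUsers
        [switch]$AllUsers
    )

    if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
    if (-not (Test-SideloadingEnabled)) { throw 'Sideloading is not enabled by policy on this machine' }

    # Refuse unsigned or tampered packages before touching the deployment stack.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)' for $PackagePath; not installing"
    }
    Write-Verbose "Package signed by $($sig.SignerCertificate.Subject)"

    if ($AllUsers) {
        # Provision into the image so every user who logs on gets the app.
        if (-not $LicensePath) { throw 'An offline license file is required for provisioning' }
        $args = @{ Online = $true; PackagePath = $PackagePath; LicensePath = $LicensePath }
        if ($DependencyPath.Count -gt 0) { $args.DependencyPackagePath = $DependencyPath }
        Add-AppxProvisionedPackage @args | Out-Null
    } else {
        # Per-user install; dependencies are resolved from -DependencyPath when given.
        $args = @{ Path = $PackagePath }
        if ($DependencyPath.Count -gt 0) { $args.DependencyPath = $DependencyPath }
        Add-AppxPackage @args
    }

    # Confirm the package is registered for the current user.
    Get-AppxPackage -Name $PackageName | Select-Object Name, Version, PackageFullName
}

# Usage (placeholders):
# Install-BspPackage -PackagePath 'C:\bsp\ContosoExpenses.appx' -PackageName 'Contoso.Expenses' -Verbose
# Install-BspPackage -PackagePath 'C:\bsp\ContosoExpenses.appx' -PackageName 'Contoso.Expenses' `
#     -LicensePath 'C:\bsp\ContosoExpenses_License.xml' -AllUsers
```

The signature check is the part worth keeping even if you script the rest differently: a package that fails `Get-AuthenticodeSignature` is exactly the kind of thing the USB-stick slide later in this deck is worried about, and it is cheaper to stop it here than to let DeviceGuard do it at run time.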
Slide 17: Option Three: Create an Enterprise Store
- Ingredients: Intune or Config Manager, Appx packages acquired from the BSP, AAD or MSA account
- Cost: Intune licenses or perhaps System Center licenses
- Additions:
  - Apps can be delivered with an MDM/MAM tool
  - LOB apps need not be uploaded to the Store and can be sideloaded
  - Store apps can be delivered even when systems are offline or if the Store has been disabled
Slide 18: Option Three Continued
- You can deploy Desktop apps as well
- You can do B2B distribution (and thus LOB and B2B apps can be kept private)
- User logs onto the Company Store rather than the Store
- If you use an MDM…
  - Get the apps as before
  - In the service, link to the apps' locations in the Store
  - When the user logs in with an AD or AAD account, the MDM/MAM deploys the app
Slide 19: SCCM Details
- BSP, get apps, download Appx
- Set the Appx packages out either as packages to be deployed, or put them in the Company Store
Slide 20: Other Details
- You can control the automatic updates: you can schedule them rather than "now", which does updates as soon as possible
- APIs expose the whole thing and support agent-based solutions like Config Manager
- When you leave an organization and can no longer sign on with AD or AAD, you lose access to the org apps and their data stores
- Of course, you always have your MSA apps
Slide 21: Controlling Apps in Windows 10
Reducing friction getting to apps we want people to run, and blocking the things we don't want them running
Slide 22: Azure RemoteApps
- Server 2008 introduced Terminal Services RemoteApps
- Basically it delivers an RDS session inside a window, looking like a local app
- Never really caught on in the Windows world, but it's popular in the Citrix world
- Azure, however, has RemoteApps
Slide 23: Azure RemoteApps
- Build an Azure image with the app
- Log onto the portal, go to RemoteApps
- Deploy as icons or paths
- Must survive a Sysprep
- Deploy to users via Azure Portal; something easier is probably on the way
- No Modern apps
- Works on any Windows… but Win 10 speeds it up
Slide 24: DeviceGuard: Crush USB Malware
- As we all know, most IT pros' favorite malware delivery tool is a USB stick
- DeviceGuard in Windows 10 slows that down
- You have a list of approved executables, or perhaps a rule to "only run signed code," or code signed by some party
- Comes with a signing tool that lets you sign your in-house stuff in case you don't have a PKI in place
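What the "list of approved executables" or "only run signed code" rule looks like in practice, as an added PowerShell example that is not part of the presentation. It uses the ConfigCI cmdlets that ship with Windows 10 Enterprise (`New-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`) to build a code integrity policy from a known-good reference machine: signed code is allowed per publisher certificate, unsigned in-house binaries fall back to per-file hash rules until you sign them, and the policy is first deployed in audit mode so that would-be blocks show up in the event log instead of breaking users. The `C:\CIPolicy` scratch folder is an assumption; everything else is the documented cmdlet surface.

```powershell
# Added example (not from the presentation): build a DeviceGuard code integrity
# policy from a clean reference machine and stage it in audit mode.
# Assumes Windows 10 Enterprise (ConfigCI module) and a scratch folder C:\CIPolicy.

$policyXml = 'C:\CIPolicy\InitialPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Scan the reference machine. -Level Publisher allows anything signed by the same
# publisher certificates found during the scan; -Fallback Hash adds a per-file
# hash rule for unsigned binaries (your in-house tools until you sign them);
# -UserPEs covers user-mode executables, not only kernel-mode drivers.
# A full C:\ scan is slow; narrow -ScanPath on a large image.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -ScanPath 'C:\' -UserPEs

# Rule option 3 = "Enabled:Audit Mode". Violations are logged to
# Microsoft-Windows-CodeIntegrity/Operational (event 3076) rather than blocked.
# Once that log is quiet for a while, remove the option with -Delete to enforce.
Set-RuleOption -FilePath $policyXml -Option 3

# Convert the XML to the binary form the kernel consumes and stage it.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item -Path $policyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
# A reboot applies the policy; review the CodeIntegrity event log before enforcing.
```

The audit-first step is the difference between a USB-borne executable quietly failing to launch and an entire department quietly failing to work: every legitimate tool the reference scan missed shows up as a 3076 event, and you add it to the policy before flipping to enforcement.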
Slide 25: "Wait a Minute, Haven't I Heard This Before…"
- There's a GP setting that said "you can only elevate signed apps," and there was AppLocker
- But they're little-used and could be bypassed by a local admin
- Win 10, however, uses a Virtual Secure Mode (VSM) wherein Hyper-V hosts a mini-Windows where the LSA runs in 1 GB of RAM
- Provides a virtual TPM for VMs
- May need 2016 Server's AD
Slide 26: Enabling It
- Off by default
- In Group Policies: Computer / Admin Templates / System / DeviceGuard, Turn On Virtualization Based Security
- Will not work unless your system uses Secure Boot
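A readiness check for the Secure Boot requirement and the "Turn On Virtualization Based Security" policy above, as an added PowerShell example that is not part of the presentation. It reads three things: the firmware state via `Confirm-SecureBootUEFI` (which throws on legacy-BIOS machines, so a throw is treated as "not ready"), the policy as written to the `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard` registry key, and what is actually running according to the `Win32_DeviceGuard` WMI class. The numeric meanings of `VirtualizationBasedSecurityStatus` and `SecurityServicesRunning` are the documented ones for Windows 10 and Server 2016; no other values are assumed.

```powershell
# Added example (not from the presentation): report whether this machine can
# run, is configured for, and is actually running virtualization based security.
# Run elevated; Confirm-SecureBootUEFI requires administrator rights.

function Get-DeviceGuardReadiness {
    $r = [ordered]@{}

    # 1. Firmware: Secure Boot is a hard requirement per the slide.
    #    Confirm-SecureBootUEFI throws on BIOS / legacy boot, which is also "no".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # 2. Policy: what the Group Policy setting wrote to the registry.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $r.VbsPolicyEnabled = ($reg.EnableVirtualizationBasedSecurity -eq 1)
    $level = [int]$reg.RequirePlatformSecurityFeatures     # $null casts to 0
    if     ($level -eq 1) { $r.PlatformSecurityLevel = 'Secure Boot' }
    elseif ($level -eq 3) { $r.PlatformSecurityLevel = 'Secure Boot and DMA protection' }
    else                  { $r.PlatformSecurityLevel = 'not set' }

    # 3. Runtime: what the hypervisor-backed mode is actually doing now.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsNames = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }
    if ($dg) { $r.VbsStatus = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus] }
    else     { $r.VbsStatus = 'unknown (class not present)' }
    $running = @($dg.SecurityServicesRunning)
    $r.CredentialGuardRunning = ($running -contains 1)   # 1 = Credential Guard (the isolated LSA)
    $r.HvciRunning            = ($running -contains 2)   # 2 = hypervisor-enforced code integrity

    $r.Ready = $r.SecureBoot -and $r.VbsPolicyEnabled -and ($r.VbsStatus -eq 'running')
    [pscustomobject]$r
}

Get-DeviceGuardReadiness | Format-List
```

`Ready` is only true when all three layers agree: the firmware can do it, the policy asks for it, and the hypervisor reports it running. A machine with `VbsPolicyEnabled` true but `VbsStatus` of "enabled, not running" is the common case this slide is warning about, and `SecureBoot` false is usually the reason.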
Slide 27: Thank You!
- Thanks for attending, please do an evaluation
- Join my newsletter mailing list at www.minasi.com
- Follow me at @mminasi